CVE-2022-28889: Improper Restriction of Rendered UI Layers or Frames

July 7, 2022 (updated July 15, 2022)

In Apache Druid 0.22.1 and earlier, the server does not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

References

lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw
nvd.nist.gov/vuln/detail/CVE-2022-28889

Detect and mitigate CVE-2022-28889 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →